Combating fraud against the public sector through faster and simpler access to data
General comments: Fraud investigations can be a legitimate use of data sharing, if done narrowly and proportionately and does not involve wholesale data matching. These proposals contain considerable detail and have clearly been thought through. Unfortunately, in our view they still need more work. Our main area of concern is the review of the powers and the apparent lack of Parliamentary involvement, abandoning the sunset approach. Other issues: It is positive that the proposed new power is centred on enabling pilot projects to test ways of preventing and combating fraud against the public sector. It is unclear however, how this will be enforced in the legislation. The Government proposes to extend the power to private organisations that provide services to a public authority. As a safeguard the proposed legislation limits that these types of bodies can only use the data for the function that it exercises for a public authority. We are not sure why the general power needs to be extended in such a manner and these situations cannot be dealt with as part of the contracts for service delivery. This needs to be explained, as in principle we would be opposed to this. The drafting of the powers in the clauses is too broad, potentially allowing any data to be ingested by public bodies for fraud purposes. The draft clauses include very different activities. Our understanding was that the programme was about prevention, detection and investigation of fraud. The actual draft clauses include: “prosecuting fraud of that kind; bringing civil proceedings as a result of fraud of that kind; taking administrative action as a result of fraud of that kind”. Once that fraud has been confirmed we would expect that normal procedures would take over. Extending the power to prosecutions and enforcement is very different and needs more consideration and better explanation. The proposals on fraud are sensitive because there is a thin line separating it from errors, ultimately the intention involved. Indeed, during the discussions with the Cabinet Office we looked at the use of data to reduce administrative errors and prevent fraud as part of the same processes. Error is now not mentioned except in passing, and Government should explain why. More generally, there is a wider public policy debate as to the focus of fraud investigations, and whether small scale fraud by ordinary people, sole traders and small businesses is disproportionately targeted in relation to tax avoidance by high net worth individuals and corporations. In the three years since we started looking at these proposals the social climate and potential legitimacy of such measures have changed substantially. 10. Are there other measures which could be set out in the Code of Practice covering the proposed new power to combat fraud to strengthen the safeguards around access to data by specified public authorities? More safeguards and limitations in scope should be set out in the bill, and expanded in the code. The draft clauses have limitations on sensitive data (race, religion, trade union membership…). It would be simpler to refer to data protection law to avoid potential inconsistencies. Draft clause 3(2)a allows for the disclosure of data “which is required or permitted by any enactment” and the next clause if it “is required by an EU obligation”. These exemptions are too broad and could make any safeguards practically useless. The clause does not apply to HMRC data. To ensure that the disclosure of data under this power is consistent with the Data Protection Act 1998, it is proposed that the legislation explicitly states that data cannot be disclosed under the new power if it contravenes the DPA or Part 1 of the Regulation of Investigatory Powers Act 2000. This may not be enough, and both legislations are in the process of being superseded. More specific safeguards should be provided. A definition of personal information for the purpose of the power is included in the legislation, covering legal persons. The relationship to data protection - covering natural persons - needs to be clarified. It is positive to see a proposed Strategic Steering Group which would include representatives from Government, interested Civil Society Organisations and independent observers. We broadly support the proposed three stage process, moving from validation to light analytics, to detailed analytics. However, although it is true that at each stage the number of people under consideration would be reduced, the richness of the data would increase and new safeguards should be triggered. The proposed principles for the Code of Practice are sound, but there is no reason not to mention some of them in primary legislation: a. all participating organisations must submit themselves to audit by the Information Commissioner; b. all participating organisations must publish Privacy Impact Assessments in relation to their data disclosures once the power is commenced; c. all participating organisations must periodically publish the measurement data coming from the data sharing arrangements; and d. all recommendations of the Strategic Steering Group being published and made available online. Transparency over the data sharing is important, although we understand concerns about hindering enforcement by tipping off would be fraudsters. It would be important that impact assessments and other documents are detailed enough to allow proper scrutiny. 11. It is proposed that the power to improve access to information by public authorities to combat fraud will be reviewed by the Minister after a defined period of time. This time will allow for pilots to be established and outcomes and benefits evaluated. How long should the Fraud gateway be operational for before it is reviewed? It is proposed that the power be reviewed three years after it comes into force, with a decision then taken whether to amend or repeal the power. Criteria for reviewing the power would be published by the relevant Minister. It is proposed that the review itself would be carried out in consultation with the Information Commissioner’s Office and other appropriate persons and the results published and laid before Parliament. We do not have a view on the best time period but it should enable proper assessment. It would be better to have a longer period than rush an incomplete review. We are very concerned about moving away from a sunset clause, which was the view taken during the open policy-making discussions. We do not believe that carrying out a review and then providing the relevant Minister the option to repeal the legislation is an equivalent safeguard against potential future abuse. There is very little evidence of legislation ever being repealed in such a manner. We can see the attractiveness of avoiding the need to reintroduce the powers in primary legislation if the powers proved to be effective; but not at the cost of abandoning Parliamentary approval. We don’t agree that “the approach taken in the proposed legislation is consistent with the spirit of what was agreed during the open policy-making process”. The decision to continue with the legislation should not fall to the Minister but Parliament. Interim procedures or some other solutions would need to be found to ensure that was is working is not abandoned. Here, as in the rest of the data sharing process, we must find the balance between flexibility and protection of rights. The document makes this clear when stating that the current numerous express gateways on fraud have been designed “to be specific to ensure a smooth passage through parliament”. We must be careful that the process does not appear to bypass future democratic controls. The successful completion of the pilot period would not simply trigger the extension of the powers, but also their expansion from pilots into wider use. Surely this will need to be discussed and agreed.
signature.asc
Description: Message signed with OpenPGP using GPGMail
-- Please support ORG's work - join and help fund our future: https://www.openrightsgroup.org/join To unsubscribe, send a blank email to org-discuss-le...@lists.openrightsgroup.org or use https://lists.openrightsgroup.org/listinfo/org-discuss
